Re: Does this look like a SQL/PHP injection to you?

Dan_Stevens_
Level 10 - Champion Alumni

Does this look like a SQL/PHP injection to you?

While sending myself a sample email, I noticed the “Lead” drop-down completely filled with the following:

0EM50000000RMUx.jpg

These appear to be SQL/PHP injections or DoS attacks.  Does Marketo not have any preventative measures for these entering the system as leads?
Tags (1)
3 REPLIES 3
Anonymous
Not applicable

Re: Does this look like a SQL/PHP injection to you?

Fascinating! 

Marketo does have SQL injection protection, obviously, but apparently not something built-in to keep your database clean from these junk values.

The interesting part to me is that these wouldn't be valid email addresses with their pattern. There is client-side form validation eliminating people manually trying to get past keyboard-slamming in the email field, but apparently not server-side validation of these fields. Someone trying to get past that protection can easily turn off JS and submit whatever they want in the form.

You could easily set up some smart lists/smart campaigns watching for irregular email values if this continues to be a problem, and delete those leads. Any email address containing "<, ', /, &, #, -" etc. I'm sure you could find other patterns within the leads themselves, the other fields that are available, and cast your own comprehensive net to catch/delete these false leads.

You also could set up an alert for "new lead created with weird symbol value" that goes to an admin, if you think there's someone manually trying to hack into your system. That will be an overwhelming amount of emails if it's a bot doing it, though.


Best,
Edward Unthank
Marketing Operations Specialist
Yesler
Anonymous
Not applicable

Re: Does this look like a SQL/PHP injection to you?

Among other, we have nightly smart campaigns to mark any such kind of email address records as invalid.

Dan_Stevens_
Level 10 - Champion Alumni

Re: Does this look like a SQL/PHP injection to you?

After further investigating, there were about 200 of these records that entered our system on Dec. 20th (from a form on our Swedish site).

0EM50000000RMVR.jpg